The Green Sheet Online Edition

November 23, 2015 • Issue 15:11:02

Congress takes on security, privacy, pot, CFPB

By Patti Murphy

The 114th Congress, which began in January 2015 and runs through next year, has not been especially active on banking legislation. A handful of bills introduced in the House and the Senate could have implications for financial institutions, networks and customers, if approved. Most, however, have advanced little through the legislative process. The most common themes are data security and consumer privacy, bank accounts for state-sanctioned marijuana dispensaries, and the Consumer Financial Protection Bureau.

It's about sharing

Banks and other businesses are about to get new tools in the war on cybercriminals, even if they don't want them. Both chambers of Congress have now approved legislation permitting voluntary sharing of information about cyber threats and defensive measures targeting those threats.

The Cybersecurity Information Sharing Act (CISA), S.754, is now headed to a conference committee where House and Senate leaders will work out differences in the two chambers' versions of the legislation before final votes are taken and the legislation is sent on for the President's signature. Final action is not expected before next year.

The CISA, which is vehemently opposed by technology companies and consumer groups, alike, is supposed to make it easier for tech companies to voluntarily share with the federal government information about cyber attacks. It instructs federal government agencies to create standards for submitting, receiving and sharing threat information. And it includes protections against liability lawsuits for companies that share information.

Groups representing financial institutions generally favor the legislation. "CISA facilitates increased cyber intelligence information sharing between the private and public sectors, and strikes a balance between protecting consumer privacy and allowing information sharing on serious threats to our nation's critical infrastructure," said Frank Keating, President and Chief Executive Officer at the American Bankers Association. Keating cautioned, however, that sharing must remain a voluntary process.

Much of the opposition to the CISA centers on fears about government spying and concerns over the security of information in government databases. Also, numerous experts have noted that most of the information targeted is already being collected by the Department of Homeland Security.

Too much information

Some three dozen technology experts (including executives from Amazon Inc., Cisco Systems Inc., Mozilla Corp. and Twitter Inc.) signed a letter seeking nay votes on the bill, insisting the legislation was overkill.

"We do not need new legal authorities to share information that helps us protect our systems from future attacks," the letter stated. "When a system is attacked, the compromise will leave a trail, and investigators can collect these bread crumbs. Some of that data empowers other system operators to check and see if they, too, have been attacked, and also to guard against being similarly attacked in the future."

An equally large group of respected academics voiced similar concerns in an open letter to the Senate. Many opponents are concerned the bill, if enacted, would trigger large amounts of personally identifiable customer information flowing between federal agencies. And as the breach earlier this year at the U.S. Office of Personnel Management demonstrated, even government networks can be compromised.

"Sharing more personal information with the government heightens the risk that hackers will poach data from an insecure federal data base, and add background noise from information unrelated to cyber threats," said Sen. Ron Wyden, D-Ore., in a statement following the vote. Wyden, a vocal opponent of the bill, proposed several amendments during Senate consideration to eliminate "a few of the bill's worst flaws," he said.

A House version of the measure (the Protecting Cyber Networks Act) includes a provision requiring the General Accounting Office to investigate how personal information gets scrubbed from data that is to be shared with federal agencies. That bill also would sunset the reporting provisions after seven years. A spokesman said the White House supports the House legislation and that the President is eager for a bill to sign.

Data breach information

Separately, lawmakers have been pushing for federal standards for banks and other businesses to safeguard personal consumer information and notify consumers if and when systems containing data are breached.

Today, breach notification requirements are dictated by state, not federal law. As a result, breached companies must comply with a patchwork of laws depending on where individuals affected by breaches reside. It can get complicated.

Karla Grossenbacher, a partner in the Washington, D.C., law firm Seyfarth Shaw LLP, addressed the dilemma in a July 2015 post to the Congress Blog, published by The Hill. "For example, many companies in the Washington, D.C. area collect personally identifiable information from customers who live in D.C., Maryland and Virginia, and also have employees who live in those states. D.C., Maryland and Virginia each has its own breach notification law, and they differ in a number of ways," Grossenbacher wrote.

Maryland is said to have some of the toughest requirements. By comparison D.C. requirements are relatively lenient. (D.C. law, for example, doesn't dictate what information must be disclosed to customers whose records have been breached.) "In the case of a company with nationwide operations, almost 50 different laws containing notification procedures would apply to the same breach," Grossenbacher stated.

Legislation pending at the committee level in both the House and the Senate would remedy the situation with federal breach notification standards. The Personal Data Notification and Protection Act, drafted by the White House and now pending in the House as H.R. 1704, would establish a 30-day notification requirement of data breaches, faster notice to credit reporting agencies (when possible), and enforcement by the Federal Trade Commission concerning violations constituting unfair and deceptive practices. The FTC would have to coordinate regulations with the Consumer Financial Protection Bureau and the Federal Communications Commission. (Similar recommendations are contained in several bills pending in the Senate.)

In the absence of concrete action on federal legislation, several states have been passing new get-tough laws regarding breach notifications. California, the first state ever to enact a data breach notification law, recently amended that law to set forth specific standards for the formatting and language used when notifying consumers of possible data breaches.

The California law now also specifically addresses the use of encryption to avoid problems with breached data. The state's law has long included an exemption from notification requirements for encrypted data, but it never actually defined encryption, said Bob Braun, an attorney with Jeffer Mangels Butler & Mitchell LLP. Now the law specifically requires "a security technology or methodology generally accepted in the field of information security." The message for banks and other businesses, Braun said, is "pause before deploying new, customized or proprietary solutions that may not be considered 'generally accepted.'"

SIDE NOTE: Banks as 'gold standard' for consumer trust

Bank bashing has become commonplace. So, too, have data breaches. Yet when it comes to keeping things (like money and information) safe, banks have set the gold standard for consumer expectations, according to the American Bankers Association.

The ABA commissions Ipsos Public Affairs each year to survey a pool of 1,000 consumers. One of the questions posed each year is, "Who do you trust most to keep your payments safe?" Seventy-five percent of consumers this year said banks, up from 73 percent in 2014, the ABA reported. Just 1 percent said major retailers, and 4 percent said they most trusted alternative payment service providers like PayPal Inc..

"Banks have a long history of protecting their customers' money whether in the vault or online," said Doug Johnson, the ABA's Senior Vice President for Payments and Cybersecurity Policy. "Banks are the gold standard in security, and customers know their money is safe when it's in the bank."

Banking pot shops

Legal marijuana sales represent a huge and growing market for banks and other payments companies, if only the federal government would condone the business. More than half of U.S. states have laws on the books that permit the sale and use of marijuana for medical purposes; a smaller number have approved it for recreational purposes, as well. Legal marijuana shops generated $2.7 billion in sales in 2014, and that is expected to grow to $11 billion by 2019, according to The ArcView Group, an investment research firm. However, pot remains illegal under federal statutes.

"The federal statutory barriers include the Controlled Substance A cg, USA Patriot Act, the Bank Secrecy Act, Racketeer Influence and other federal statutes," the ABA said in a 2014 statement. The ABA said it has no official position on the issue.

Also in 2014, the U.S. Department of the Treasury told banks and credit unions they would not be prosecuted for doing business with pot shops, provided they abided by extensive rules and closely scrutinized the activities of these customers.

However, in July 2015, the National Credit Union Administration rejected an application for a Colorado credit union after the Federal Reserve Bank of Cleveland declined to grant the institution a clearing account. The credit union, Fourth Corner Credit Union, which asserts it heeded the rules the Treasury Department set out last year, is now suing both the NCUA and the Kansas City Fed in federal district court in Denver.

In a recent filing in the case, the Kansas City Fed argued that federal law must trump state law. "The Court would not entertain other such attempts – such as if Colorado enacted a scheme to allow trade in endangered species or trade with North Korea in derogation of federal laws, and then chartered a credit union to handle the finances of companies conducting such illegal trade. The present situation similarly cannot be sanctioned," the Reserve Bank wrote.

A handful of bills have been introduced in Congress over the past several years that would legitimize pot shops under federal law, but none has garnered enough support to warrant a vote. The Marijuana Business Access to Banking Act of 2015 (S. 1726 and H.R. 2076), was introduced in April 2015 by Sen. Jeff Merkley, D-Ore., and Rep. Ed Perlmutter, D-Colo. The legislation is intended to provide a safe harbor for financial institutions that work with state-sanctioned pot shops.

Meanwhile, earlier this month, Democratic Presidential hopeful Sen. Bernie Sanders, D-Vt., declared he was introducing legislation that would remove marijuana from the federal government's list of "dangerous" substances and let states decide the legalization question.

Dodd-Frank, CFPB under attack

The omnibus banking reform bill known as the Dodd-Frank Act has been an ongoing source of debate in Washington since its enactment in 2010. Efforts to gut the legislation were batted down this fall when ranking Republicans tried to attach amendments to repeal key provisions to a much needed federal funding bill. Dodd-Frank repeal also has become a rallying cry for Republican presidential hopefuls.

In September, the House Financial Services Committee approved legislation to restructure the CFPB, the federal consumer watchdog agency created by the legislation. One bill would replace the Director of the CFPB with a five-member bipartisan commission. The other calls for a presidentially appointed inspector general to be an independent overseer of the bureau.

The CFPB has been engulfed in controversy since its inception. The debate initially was along party lines, with Republicans arguing the agency, as created, lacked checks and balances. (The consumer watchdog agency, for example, has no direct line of accountability to Congress and is funded through the Federal Reserve.) As the House vote and recent statements by Democrats have revealed, though, opposition is beginning to cut across party lines.

"There is a growing bipartisan drumbeat on Capitol Hill to bring the CFPB out of the shadows and have it operate, and regulate, in plain sight of the consumers it was created to protect," said Pat Morris, CEO of the Association of Credit and Collection Professionals.

Representatives Kyrsten Sinema, D-Ariz., and Randy Neugebauer, R-Texas, explained the need for change in an op-ed piece published in the Wall Street Journal. "A commission structure at the CFPB would promote predictability in rulemaking by preventing a new director from unilaterally and abruptly reversing the decisions made by a previous director," they wrote. "It would also help to reduce the risk of regulatory capture, as it is easier for special interests to inveigle one person than five." The two lawmakers pointed out that the Consumer Product Safety Commission, the Federal Trade Commission and the Securities and Exchange Commission are each governed by boards for much the same reason.

Separately, legislation approved by the House and now awaiting Senate consideration seeks to bring greater transparency to the CFPB. H.R. 1265, the Bureau Advisory Commission Transparency Act would amend Dodd-Frank to make public CFPB interactions with outside advisory committees. Most federal entities have advisory committees. The Congressional Research Service estimates there are about 1,000 such committees currently advising the President and various federal departments and agencies on a diverse set of issues.

Most of these are subject to the Federal Advisory Committee Act (FACA), which requires meetings with advisory groups be open to the public. Those working with the Central Intelligence Agency and the Federal Reserve are exempt. Since the CFPB was designated under Dodd-Frank as an independent agency within the Fed, the agency has argued that meetings with its advisory committees need not be public. (The CFPB has four advisory committees: one each representing consumers, credit unions, community banks and academia.) H.R. 1265 would eliminate that loophole and assure the CFPB operates in compliance with FACA.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.